![3
Intro
void fire_thrusters(double
vectors[12]) {
for (int i = 0; i < 12 i++) {
... vectors[i] ...
}
}
double thruster[3] = ... ;
fire_thrusters(thruster);
●
In C, array types of parameters degrade to pointer types.
●
The size is ignored!
●
No protection from passing a mismatched array.](https://image.slidesharecdn.com/codeql-presentation-191223183232/85/Semmle-Codeql-3-320.jpg)
Semmle Codeql
- 3. 3 Intro void fire_thrusters(double vectors[12]) { for (int i = 0; i < 12 i++) { ... vectors[i] ... } } double thruster[3] = ... ; fire_thrusters(thruster); ● In C, array types of parameters degrade to pointer types. ● The size is ignored! ● No protection from passing a mismatched array.
- 4. 4 Intro ● …to find all instances of the problem. import cpp from Function f, FunctionCall c, int i, int a, int b where f = c.getTarget() and a = c.getArgument(i).getType().(ArrayType).getArraySize() and b = f.getParameter(i).getType().(ArrayType).getArraySize() and a < b select c.getArgument(i), "Array of size " + a + " passed to $@, which expects an array of size " + b + ".", f, f.getName()
- 5. 5 Intro ● CodeQL Consists of: – QL: the programming language for CodeQL code analysis platform. – CLI: run queries – Libraries: QL libraries – Databases: contains all the things needed to run the queries ● Used for Variant Analysis
- 7. 7 Intro - Tools ● Standalone CodeQL CLI ● Interactive Query Console (lgtm.com) ● IDE extensions – Eclipse – VSCode
- 9. 9 Intro – Interactive Query Console
- 10. 10 Intro – VSCode Extension
- 11. 11 ● What you need to run queries – CodeQL CLI tool – Query libraries – A database ● Installing VSCode and CodeQL extension – Alternatively Eclipse + CodeQL extension – Add CodeQL cli to your env ● ~/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/codeql ● It might vary on your machine Installation
- 12. 12 ● Install CodeQL CLI or ● Install VSCode and CodeQL extension – Alternatively Eclipse + CodeQL extension – Add CodeQL cli to your env – ~/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/codeql ● It might vary on your machine Installation
- 13. 13 Installation ● Running codeql database create ● Importing a database from lgtm.com $ codeql database create <database> --language=<language- identifier> --language: cpp/csharp/go/java/python/javascript --source-root: the root folder for the primary source files (default = current directory). --command: for compiled languages only, the build commands that invoke the compiler.
- 14. 14 Writing QL Queries ● QL – logic programming language – built up of logical formulas – Object oriented ● Basic syntax from /* ... variable declarations ... */ where /* ... logical formulas ... */ select /* ... expressions ... */ // Example: from int x, int y where x = 6 and y = 7 select x * y
- 15. 15 Writing QL Queries ● Python import python from Function f where count(f.getAnArg()) > 7 select f ● Java ● JavaScript import java from Parameter p where not exists(p.getAnAccess()) select p import javascript from Comment c where c.getText().regexpMatch("(?si).*bTODOb.*") select c
- 16. 16 Writing QL Queries ● Formulas <expression> <operator> <expression> // Comparison <expression> instanceof <type> // Type check <expression> in <range> // Range check exists(<variable declarations> | <formula>) forex(<variable declarations> | <formula 1> | <formula 2>) forall(<vars> | <formula 1> | <formula 2>) and exists(<vars> | <formula 1> | <formula 2>) Two formulas in the body: It holds if <formula 2> holds for all values that <formula 1> holds for. ● Aggregates ● Common aggregates are count, max, min, avg (average) and sum. from Person t where t.getAge() = max(int i | exists(Person p | p.getAge() = i) | i) select t
- 17. 17 Writing QL Queries ● Predicates ● The name of a predicate always starts with a lowercase letter. ● You can also define predicates with a result. In that case, the keyword predicate is replaced with the type of the result. This is like introducing a new argument, the special variable result. For example, int getAge() {result = ...} returns an int. predicate southern(Person p) { p.getLocation() = "south" } from Person p where southern(p) select p
- 18. 18 Writing QL Queries ● Classes – instanceof ● You might be tempted to think of the characteristic predicate as a constructor. However, this is not the case - it is a logical property which does not create any objects. class Southerner extends Person { Southerner() { southern(this) } } from Southerner s select s class Child extends Person{ /* the characteristic predicate */ Child() { this.getAge() < 10 } /* a member predicate */ override predicate isAllowedIn(string region){ region = this.getLocation() } }
- 19. 19 Writing QL Queries ● Annotations – abstract, finaal, overrise, private, ... ● Recursion – Transitive closures + – Reflexive transitive closure * ● Name Resolution – Qualified references (import examples.security.MyLibrary) – Selections (<module_expression>::<name>)
- 20. 20 Variant analysis ● Control flow analysis (CFA) allows you to inspect how the different parts of the source code are executed and in which order. Control flow analysis is useful for finding vulnerable code paths that are only executed under unlikely circumstances. ● Data flow analysis (DFA) is the process of tracking data from a source, where it enters an application, to a sink, where the data is used in a potentially harmful way if it's not sanitized along the way. ● Taint tracking typically refers to untrusted – or tainted – data that is under partial or full control of a user. Using data flow analysis, tainted data is tracked from the source through method calls and variable assignments – including containers and class members – to a sink. ● Range analysis (or bounds analysis) is used to investigate which possible values a variable can hold, and which values it will never hold. This is useful information in various lines of investigation. ● Semantic code search allows you to quickly interrogate a codebase and identify areas of interest for further investigation. This is valuable to identify methods having a particular signature, or variables that may contain credentials.
- 21. 21 Variant analysis - Modules ● semmle.code.cpp.dataflow.DataFlow – IsSource : defines where data may flow from – IsSink : defines where data may flow to – HasFlow : performs the analysis ● semmle.code.cpp.dataflow.TaintTracking – IsSanitizerGuard : optional, restricts the taint flow
- 22. 22 Variant analysis ● Analyzing data flow in C/C++ import cpp import semmle.code.cpp.dataflow.TaintTracking class MyTaintTrackingConfiguration extends TaintTracking::Configuration { MyTaintTrackingConfiguration() { this = "MyTaintTrackingConfiguration" } override predicate isSource(DataFlow::Node source) { ... } override predicate isSink(DataFlow::Node sink) { ... } }
- 23. 23 Variant analysis - Example import semmle.code.cpp.dataflow.DataFlow class EnvironmentToFileConfiguration extends DataFlow::Configuration { EnvironmentToFileConfiguration() { this = "EnvironmentToFileConfiguration" } override predicate isSource(DataFlow::Node source) { exists (Function getenv | source.asExpr().(FunctionCall).getTarget() = getenv and getenv.hasQualifiedName("getenv") ) } override predicate isSink(DataFlow::Node sink) { exists (FunctionCall fc | sink.asExpr() = fc.getArgument(0) and fc.getTarget().hasQualifiedName("fopen") ) } } from Expr getenv, Expr fopen, EnvironmentToFileConfiguration config where config.hasFlow(DataFlow::exprNode(getenv), DataFlow::exprNode(fopen)) select fopen, "This 'fopen' uses data from $@.", getenv, "call to 'getenv'"
- 24. 24 ● Almost all materials are burrowed from Semmle.com – https://help.semmle.com/QL/learn-ql/index.html – https://help.semmle.com/QL/ql-training/cpp/intro-ql-cpp.html – https://marketplace.visualstudio.com/items?itemName=github.vscode-codeql ● Get help – https://discuss.lgtm.com/latest – https://stackoverflow.com/questions/tagged/semmle-ql Recaps
- 25. 25 Thank you